You need to specify -Z to start TLS and use certs. From man ldapsearch:

-Z Issue StartTLS (Transport Layer Security) extended operation. If you use -ZZ, the command will require the operation to be successful.

leilei175@gmail.com writes:
> On the client side, I have set the TLS_REQCERT as demand.
> The TLS_CACERTDIR is also set, but I didn't put any certificate in the
> directory.
>
> To my surprise, even though no certificate is provided,
> ldapsearch could still succeed returning the data.
>
> Is this a bug?
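
Added example, not part of the original thread: a small shell check that classifies ldapsearch command lines by whether they actually request TLS, which is what decides whether TLS_REQCERT and TLS_CACERTDIR are consulted at all. The function names, host and base DN are made up for illustration, and it only looks at the command-line arguments, not at a URI set in ldap.conf.

```bash
# Classify an ldapsearch argument list by how the connection is protected:
#   required       -ZZ (or -Z given twice), or -H ldaps://...
#   opportunistic  -Z: StartTLS is attempted, the search goes on if it fails
#   plaintext      no TLS requested, so TLS_REQCERT/TLS_CACERTDIR never apply
ldap_tls_mode() {
    local zcount=0 ldaps=0
    while [ $# -gt 0 ]; do
        case "$1" in
            -Z)  zcount=$((zcount + 1)) ;;
            -ZZ) zcount=$((zcount + 2)) ;;
            -H)  case "${2:-}" in ldaps://*) ldaps=1 ;; esac
                 if [ $# -gt 1 ]; then shift; fi ;;
            -b|-D|-w|-y|-s|-h|-p|-f)   # these take a value: skip it
                 if [ $# -gt 1 ]; then shift; fi ;;
        esac
        shift
    done
    if [ "$ldaps" -eq 1 ] || [ "$zcount" -ge 2 ]; then echo required
    elif [ "$zcount" -eq 1 ]; then echo opportunistic
    else echo plaintext
    fi
}

# Read command lines on stdin; print each ldapsearch call that does not force TLS.
audit_ldapsearch() {
    local line mode
    while IFS= read -r line; do
        case "$line" in ldapsearch\ *) ;; *) continue ;; esac
        set -f               # no globbing while word-splitting the line
        set -- $line; shift  # naive split: fine for the unquoted sample below
        set +f
        mode=$(ldap_tls_mode "$@")
        [ "$mode" = required ] || printf '%s: %s\n' "$mode" "$line"
    done
}

# Constructed sample commands (host and base DN are placeholders).
SAMPLE_CMDS='ldapsearch -x -H ldap://ldap.example.com -b dc=example,dc=com uid=alice
ldapsearch -x -Z -H ldap://ldap.example.com -b dc=example,dc=com uid=alice
ldapsearch -x -ZZ -H ldap://ldap.example.com -b dc=example,dc=com uid=alice
ldapsearch -x -H ldaps://ldap.example.com -b dc=example,dc=com uid=alice'

printf '%s\n' "$SAMPLE_CMDS" | audit_ldapsearch
```

The first sample line is the situation in the quoted question: no -Z and an ldap:// URI, so the search succeeds in the clear regardless of the certificate settings.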